diff --git a/system/configuration.nix b/system/configuration.nix
index bfeb7b4..1ea21c8 100644
--- a/system/configuration.nix
+++ b/system/configuration.nix
@@ -2,7 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, inputs, ... }: {
- imports = [ ./gamemode.nix ./cachix.nix ./media-packages.nix ./boot.nix ];
+ imports = [ ./gamemode.nix ./cachix.nix ./media-packages.nix ./boot.nix ./vpn.nix ];
 packages.media-packages.enable = true;
 boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -141,15 +141,6 @@
 enableSSHSupport = true;
 pinentryFlavor = "curses";
 };
- # List services that you want to enable:
- # Enable the OpenSSH daemon.
- # services.openssh.enable = true;
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = false;
- services.mullvad-vpn.enable = true;
 security.sudo.wheelNeedsPassword = false;
 nix.registry.nixpkgs.flake = inputs.nixpkgs;
diff --git a/system/vpn.nix b/system/vpn.nix
new file mode 100644
index 0000000..daaa18a
--- /dev/null
+++ b/system/vpn.nix
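Review bot: The new `./vpn.nix` entry in the imports list now hides a system-wide setting: the `networking.firewall.enable = false;` deleted by the second hunk is re-declared inside the new module, so a reader of configuration.nix no longer sees that the host firewall is off globally. A trailing comment on the import line would keep that visible, e.g. `./vpn.nix # also owns networking.firewall and networking.nftables`. The deleted comment block was the only place that documented the intended `allowedTCPPorts` allow-list approach; if an allow-list is still the plan, that intent should be carried into vpn.nix rather than dropped with the hunk.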
@@ -0,0 +1,31 @@
+{ pkgs, ... }: {
+ networking.firewall.enable = false;
+
+ services.mullvad-vpn.enable = true;
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet allowSSH {
+ chain allowIncoming {
+ type filter hook input priority -100; policy accept;
+ tcp dport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+ }
+ chain allowOutgoing {
+ type route hook output priority -100; policy accept;
+ tcp sport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+ }
+ }
+
+ table inet allowNixServe {
+ chain allowIncoming {
+ type filter hook input priority -100; policy accept;
+ tcp dport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+ }
+ chain allowOutgoing {
+ type route hook output priority -100; policy accept;
+ tcp sport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
+ }
+ }
+ '';
+ };
+}
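Review bot: With `networking.firewall.enable = false;` as the first setting in the new module and both nftables tables declared with `policy accept`, nothing in this file filters inbound traffic: the chains only tag connections on tcp/9022 and tcp/5000 with a ct mark and a packet mark, so the only packet filtering left on the host is whatever the Mullvad daemon itself installs, which is presumably its tunnel lockdown rather than a host firewall. If those marks are the connection-exclusion values Mullvad uses (they match what its split-tunnel guidance publishes, but that is inferred here rather than stated in the file), the net effect is that SSH and nix-serve become reachable outside the tunnel with no allow-list at all, so consider keeping the NixOS firewall, which on recent NixOS runs on the nftables backend once `networking.nftables.enable = true`, and replacing the first line with `networking.firewall.enable = true;` plus `networking.firewall.allowedTCPPorts = [ 9022 5000 ];`. The two hex constants also deserve a comment above `ruleset`, e.g. `# 0x00000f41 / 0x6d6f6c65: ct and packet marks that exempt these flows from the VPN tunnel policy — confirm against the Mullvad docs for the installed version`. Lastly, the allowSSH and allowNixServe tables are identical apart from the port, so a single table using `tcp dport { 9022, 5000 }` in the input chain and `tcp sport { 9022, 5000 }` in the output chain would halve the ruleset and keep the two services from drifting apart.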